Quick How To - Amazon Identity and Access Management IAM

Nov 7, 2015 • Jonathan Frappier

My poor lab has had enough; time to rebuild. I’ve always used a Windows Domain for authentication, and you can make that reasonably small, but during this rebuild I am going to try and leverage Amazon Directory Services…because cloud? Before creating your directory service, however, you should set up accounts in Identity and Access Management, or IAM. IAM is a free service, so you can use it without incurring any additional cost.

Log into the AWS Management Console and find Identity & Access Management (green key icon) under Security & Identity. First I am going to set up a directory services user and group. Whenever possible, and Amazon supports this, I assign permissions to a group rather than to individual users, so it is easy to change who has access later on. It generally also makes auditing easier.

Before getting started, I will also edit the default password policy, which can be found under Account Settings in the left navigation pane. Choose a password policy that you are comfortable with, or for a business, one that fits your security policies, then click Apply password policy.

For individual users accessing services, I use a different username than their regular accounts. I do this whether it is Microsoft AD or even local machine access. Click on Users >> Create New Users, enter a username and click Create. Download the user credentials and store them in a safe place.

Click the checkbox for the user you just created and click User Actions >> Manage Password. Here you can set an auto-generated password or an administrator-assigned password. This is also where you would force the user to change their password at next login. I assigned a specific password and set it to require a new password at next sign-in.

In the Details menu in the left navigation pane, click on Groups >> Create New Group and enter a name for your group, for example vxprt-admins.

Now click Next Step at the bottom of the page. You can now attach policies to the group; in this case I will select AWSDirectoryServiceFullAccess, since the users in this group will be managing directory services. Click Next Step again, confirm the settings and click Create Group.

Click the checkbox for the group and click on Group Actions >> Add Users to Group; select the user or users you just created and click Add Users. Now that a user has been created and assigned to a group with privileges, click on Dashboard. Here you can find the IAM user sign-in link. Copy the link and sign in with the user you just created. What were the results?

Well, if you were following along with my blog post, you should have been prompted to change the password, as we see above. Now that you are signed in, what do you see? Yeah, I see everything as well, not exactly what I expected; let’s poke around. Click on EC2. Well, that is promising: it seems I am not authorized, which is what I would expect based on the group privileges I assigned. (The console lists every service for every user; what the policy controls is which API calls succeed once you click through.)

Now, just to confirm, click on Launch Instance and select the Amazon Linux AMI.

Cool, permissions are working as expected so far. Now navigate back to the console (the terracotta-colored box on the top left side of the page) and click Directory Service… no errors! In my next post I will set up AWS Directory Services and hopefully down the road join my new lab vCenter to it.
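To make the "EC2 denied, Directory Service allowed" result concrete, here is an added Python example (not from the post or from AWS) that models how IAM evaluates the group's permissions: a constructed stand-in policy granting `ds:*` plus a couple of read-only EC2 calls, checked with IAM's default-deny and explicit-deny-wins rules. The policy contents and helper names are assumptions, not the real AWSDirectoryServiceFullAccess document.

```python
import fnmatch
import json

# Constructed policy document in the shape AWS IAM uses. It is NOT the real
# AWSDirectoryServiceFullAccess managed policy, just a stand-in with the same
# idea: full Directory Service access plus a few read-only EC2 calls.
GROUP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ds:*", "ec2:DescribeVpcs", "ec2:DescribeSubnets"],
     "Resource": "*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action names are case-insensitive and '*' is a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(action, policies):
    """Evaluate one API action against a list of identity-based policies.

    Simplified IAM logic: everything is implicitly denied, an explicit Deny
    beats any Allow, otherwise at least one matching Allow is required.
    Resource and Condition elements are ignored (treated as Resource "*").
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny always wins
            allowed = True
    return allowed


# The user inherits only the group's policy, just like a member of vxprt-admins.
USER_POLICIES = [GROUP_POLICY]

if __name__ == "__main__":
    for action in ("ds:CreateDirectory", "ec2:DescribeVpcs", "ec2:RunInstances", "iam:CreateUser"):
        verdict = "allow" if is_allowed(action, USER_POLICIES) else "deny (implicit)"
        print(f"{action:22} -> {verdict}")
```

Launching an instance needs `ec2:RunInstances`, which no statement matches, so it falls through to the implicit deny; the Directory Service console works because `ds:*` covers every `ds:` action.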